We build privacy protections into Azure through Privacy by Design, a program which describes how we build and operate products and services to protect privacy. Standards and processes that support Privacy by Design principles include the Microsoft Online Services Privacy Statement (which details Microsoft’s core privacy requirements and practices) and the Microsoft Secure Development Lifecycle (which includes addressing privacy requirements). We then back those protections with strong contractual commitments to safeguard customer data, including offering EU Model Clauses (which provides terms covering the processing of personal information), and complying with international standards. Microsoft uses customer data stored in Azure only to provide the service, including purposes compatible with providing the service. Azure does not use customer data for advertising or similar commercial purposes.
Contractual commitments. Microsoft was the first major cloud service provider to make contractual privacy commitments that help assure the privacy protections built into in-scope Azure services are strong. Among the many commitments that
Microsoft supports are:
Restricted access by Microsoft personnel. Access to customer data by Microsoft personnel is restricted. Customer data is only accessed when necessary to support the customer’s use of Azure. This may include troubleshooting aimed at preventing, detecting, or repairing problems affecting the operation of Azure and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam). When granted, access is controlled and logged. Strong authentication, including the use of multifactor authentication, helps limit access to authorized personnel only. Access is revoked as soon as it is no longer needed.
Notification of lawful requests for information. Microsoft believes that customers should control their data whether stored on their premises or in a cloud service. We will not disclose Azure customer data to law enforcement except as a customer directs or where required by law. When governments make a lawful demand for Azure customer data from Microsoft, we strive to be principled, limited in what we disclose, and committed to transparency.
In its commitment to transparency, Microsoft regularly publishes a Law Enforcement
Requests Report that discloses the scope and number of requests we receive.
Greater transparency and simplicity of data use policies.
Microsoft keeps customers informed about the processes to protect data privacy and security, including practices and policies. Microsoft also provides the summaries of independent audits of services, which helps customers pursue their own compliance.